I'm building a multi-domain/multi-store ecommerce application in Laravel and would like to keep the user logged in when he or she changes from store to store.
But as far as I know, Laravel's Auth service saves the logged-in user in the session, and sessions can't be accessed by other domains.
Is there a way (maybe a package) to achieve this, without leaving my application prone to possible security problems?
Thanks in advance!
Assume you have both domains as virtual servers on one machine and you haven't called session_save_path() (or you have called it with the same directory on both servers); then you can share the session using session_id('..'). For example, if you have 2 domains, origin1.localhost and origin2.
Create a custom session driver to override the database session used by Laravel's default database session manager. Implement a polymorphic relation to LogoutOtherBrowserSessionsForm. If you are not using the database driver for sessions, this article might not be for you.
Laravel made it easy. One way, and the shortest and most basic way, to share data with all views is to use View::share(). Let's see an example. In the same example as above, you have an options table in your database and you want to access its data in your master.blade.php page or any other view.
By default, Laravel allows requests using the same session to execute concurrently. So, for example, if you use a JavaScript HTTP library to make two HTTP requests to your application, they will both execute at the same time.
Be sure to review the options available to you in this file. By default, Laravel is configured to use the file session driver, which will work well for many applications. If your application will be load balanced across multiple web servers, you should choose a centralized store that all servers can access, such as Redis or a database.
I know this is not exactly what was asked for, but, for development and testing purposes, I did this:
In config/session.php, try changing this line
'path' => '/',
Into this
'path' => '/;SameSite=None; secure',
allowed me to authenticate from different domains.
Now, you should be able to write a simple middleware to prevent unwanted hosts. Something like this.
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class TrustedHosts
{
    public function handle(Request $request, Closure $next)
    {
        // The Origin header carries a full origin ("https://dev.mydomain.com"), so only
        // the host part is compared. Same-site navigations send no Origin header at all;
        // fall back to the request host in that case instead of rejecting every page load.
        $origin = $request->headers->get('origin');
        $host = $origin ? parse_url($origin, PHP_URL_HOST) : $request->getHost();

        // Read the environment from the application rather than env(), which returns
        // null once the configuration is cached.
        $environment = app()->environment();
        if ($environment == 'development') {
            $trustedHosts = array('localhost', 'dev.mydomain.com');
        } else {
            $trustedHosts = array('anotherdomain.com', 'mydomain.com');
        }

        $isHostTrusted = in_array($host, $trustedHosts, true);
        if (!$isHostTrusted) {
            return response("I'm a teapot", 418); // Or any other code and message that you prefer.
        }

        return $next($request);
    }
}
And group it in the middleware group that includes the session stuff.
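Because a session cookie is scoped to one host, an alternative to widening the cookie is to hand the login over explicitly: the store the user is logged in to mints a short-lived, signed, single-use URL on the target store, and the target store logs the user in only after Laravel's signature check passes. The following routes are an added example written for this answer; they are not code from the question or the answer above. They assume one Laravel application serving every store domain with a single APP_KEY (so signatures verify on every host), a hypothetical allow-list $storeHosts, the route name store.handoff, and hypothetical host names store1.example and store2.example.

```php
<?php
// routes/web.php (added example, not part of the original answer)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\Str;

// Hypothetical allow-list of store hosts; a real application would load this from config.
$storeHosts = ['store1.example', 'store2.example'];

// 1. On the store the user is currently logged in to: build a signed handoff URL that
//    points at the target store, expires in 60 seconds and carries a one-time nonce.
Route::get('/switch-store/{host}', function (Request $request, string $host) use ($storeHosts) {
    // Only ever redirect to a host we operate; an open redirect would let a signed
    // login URL be minted for an attacker-controlled domain.
    abort_unless(in_array($host, $storeHosts, true), 404);

    $url = URL::temporarySignedRoute(
        'store.handoff',
        now()->addSeconds(60),
        [
            'host'  => $host,                                   // fills the {host} domain placeholder
            'user'  => $request->user()->getAuthIdentifier(),   // who is being handed over
            'nonce' => Str::random(40),                         // makes the URL single-use
        ]
    );

    return redirect()->away($url);
})->middleware('auth');

// 2. On every store domain: accept the handoff only when the 'signed' middleware has
//    verified the HMAC signature and expiry computed over the full URL.
Route::domain('{host}')->group(function () {
    Route::get('/auth/handoff', function (Request $request, string $host) {
        // Cache::add() returns false if the key already exists, so a replayed URL is
        // rejected even while its signature is still within the 60 second window.
        $nonce = (string) $request->query('nonce', '');
        abort_unless($nonce !== '' && Cache::add('store-handoff:' . $nonce, 1, 60), 403);

        // Log the user in on this domain and rotate the session id so the new login
        // never reuses a session identifier that existed before authentication.
        Auth::loginUsingId($request->query('user'));
        $request->session()->regenerate();

        return redirect('/');
    })->name('store.handoff')->middleware('signed');
});
```

The signature binds the host, user id, nonce and expiry together, so none of them can be altered in transit; the nonce cache entry stops the same link from being used twice, and the short expiry limits how long a leaked link stays valid. The TrustedHosts middleware from the answer still applies on top of this, since the handoff route only decides who is logged in, not which hosts may talk to the application.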